
Behavior-based AV solutions cannot stand alone

Author: Tom Olzak

Translation: endurer, 2008-08-09, 1st edition

Category: Security, Virus, Threats, Intrusion Detection, Antivirus, Spyware, Malware, Internet

Tags: Malware, Behavior Analysis, Signature Comparison, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Tom Olzak

English source: http://blogs.techrepublic.com.com/security/?p=531&tag=nl.e101

Someday, behavior analysis might replace signature comparison in AV solutions.  But I don’t think so.  Like all security controls, these two approaches to detecting malware are layered defenses, supporting each other, identifying threats the other misses.



Not every break-through security product is a good idea, an effective solution for protecting devices from the effects of malware attacks.  This seems to be the case with a new product called NovaShield AntiMalware 2.0.


Earlier this year, NovaShield, Inc. announced that it had received a $500,000 grant from the U.S. National Science Foundation (NSF) to enable completion and introduction of a new behavior-based anti-malware product (RedOrbit, 3 March 2008). Detecting malware based on behavior instead of the traditional signature comparison approach is touted as being a better defense against zero-day attacks, attacks that occur before AV vendors can update customer signature files. I agree with this view, but I’ve yet to see a product that effectively defends using behavior heuristics alone, without support from signature reviews. NovaShield AntiMalware 2.0, released this week and priced at $19.95, seems to reinforce this point.



Neil J. Rubenking posted the results of his NovaShield test at pcmag.com.  He gave it a rating of “Poor,” with the following bottom line comments:


[endurer's note: 1. bottom line: the final figure, the result]
NovaShield AntiMalware aims to block malware by detecting malicious behaviors. In testing it was a near-total flop, though it detected several valid utilities as “high risk” threats. And it rendered two test systems unusable. There’s no reason to buy this when you can get ThreatFire free.


[endurer's note: 1. aim to: to be intended to (to aim at, to aspire to)
2. ThreatFire was formerly Cyberhawk; after being acquired by PC Tools it was renamed ThreatFire. It is a supplementary tool for traditional security software that can make up for many of the gaps in traditional security software's protection; according to ThreatFire's own description, it can coexist with existing antivirus, anti-spyware, firewall and other software.]
The only positive thing Rubenking had to say was that it installed quickly.


NovaShield isn’t the only AV vendor trying to get to market with a behavior analysis engine. As mentioned in the PC Magazine review, ThreatFire is a free behavior detection product, but the company positions its product as a supplement to signature-based solutions, not a replacement. Figure 1 depicts alleged detection improvements when using ThreatFire with popular AV products.




Figure 1: Increased Protection when Using ThreatFire

All the main AV vendors (e.g. McAfee, Trend, and Symantec) have integrated some level of behavior analysis into their malware defense products.  However, none are making claims that behavior heuristics alone provide sufficient protection.


Someday, behavior analysis might replace signature comparison in AV solutions. But I don’t think so. Like all security controls, these two approaches to detecting malware are layered defenses, supporting each other, identifying threats the other misses. Whether located on desktops or in intrusion defense appliances, only a combination of the two provides sufficient protection to networks and end-user devices.

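To make the layering argument concrete, here is a toy model of the two engines side by side. This is an added illustration, not code from NovaShield, ThreatFire or any AV vendor; the signature database, the behaviour weights, the threshold and the three samples are all constructed for the example. Signature comparison hashes the file and looks the digest up in a list of known-bad samples; the behaviour heuristic sums risk weights for actions observed at run time and blocks above a threshold. The constructed samples reproduce the three cases the post describes: a known worm that only the signature engine catches, a zero-day that only the behaviour engine catches, and a legitimate utility that the behaviour engine misclassifies as high risk.

```python
"""Toy layered malware detection: signature comparison plus behaviour heuristics.

Added illustration only; not any vendor's engine. All data below is constructed.
"""
import hashlib
from dataclasses import dataclass

# Constructed signature database: SHA-256 digests of file contents already known to be bad.
# In a real product this is the vendor's signature file, updated on the vendor's schedule.
KNOWN_BAD_DIGESTS = {
    hashlib.sha256(b"CONSTRUCTED: known worm sample v1").hexdigest(),
}

# Constructed behaviour heuristic: each observed action carries a risk weight.
BEHAVIOUR_WEIGHTS = {
    "disables_av_service": 5,
    "injects_into_process": 4,
    "writes_autorun_key": 3,
    "mass_outbound_smtp": 3,
    "writes_system_dir": 1,
    "reads_user_documents": 1,
}
BEHAVIOUR_THRESHOLD = 5  # a total score at or above this is treated as malicious


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes      # bytes of the file as it reached the endpoint
    behaviours: tuple   # actions observed while the program ran (constructed)


def signature_verdict(sample: Sample) -> bool:
    """Signature comparison: malicious only if the digest is already in the database."""
    return hashlib.sha256(sample.content).hexdigest() in KNOWN_BAD_DIGESTS


def behaviour_score(sample: Sample) -> int:
    """Sum the risk weights of every observed action; unknown actions score 0."""
    return sum(BEHAVIOUR_WEIGHTS.get(action, 0) for action in sample.behaviours)


def behaviour_verdict(sample: Sample) -> bool:
    """Behaviour heuristic: malicious once the accumulated score reaches the threshold."""
    return behaviour_score(sample) >= BEHAVIOUR_THRESHOLD


def layered_verdict(sample: Sample) -> str:
    """Run both engines; either one blocking is enough. This is the layered defence."""
    if signature_verdict(sample):
        return "block:signature"
    if behaviour_verdict(sample):
        return "block:behaviour"
    return "allow"


def compare_engines(samples):
    """Per sample: what each engine alone decides, and what the layered pair decides."""
    return {
        s.name: {
            "signature_only": signature_verdict(s),
            "behaviour_only": behaviour_verdict(s),
            "layered": layered_verdict(s),
        }
        for s in samples
    }


# Constructed samples for the three cases discussed in the post.
SAMPLES = (
    # Known worm: the signature hits; its one observed action stays below the threshold.
    Sample("known_worm", b"CONSTRUCTED: known worm sample v1", ("mass_outbound_smtp",)),
    # Zero-day: no signature exists yet; the observed behaviour is clearly hostile.
    Sample("zero_day_dropper", b"CONSTRUCTED: never-seen payload",
           ("injects_into_process", "disables_av_service")),
    # Legitimate backup utility: unknown digest, and its ordinary actions add up to the
    # threshold, the kind of false positive Rubenking reported.
    Sample("backup_utility", b"CONSTRUCTED: legitimate backup tool",
           ("writes_autorun_key", "writes_system_dir", "reads_user_documents")),
)


if __name__ == "__main__":
    for name, verdicts in compare_engines(SAMPLES).items():
        print(f"{name:18} {verdicts}")
```

Run stand-alone, the table shows the signature engine alone missing the zero-day and the behaviour engine alone missing the known worm, while the layered pair blocks both. It also shows what layering does not fix: the backup utility is still blocked by the behaviour heuristic, so a vendor shipping the heuristic as the only engine inherits both the false positives and the coverage gap, which is why the major vendors treat behaviour analysis as one layer among several.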